Slack Says You Can Now “Bring Your Own” Encryption Key

Slack security has been given a notable upgrade with the launch today of a new encryption management dashboard that provides more granular security permissions for an admin. It can be purchased as an add-on for business users.

The Enterprise Key Management (EKM) service allows customers to “bring your own” encryption keys (albeit keys have to be hosted on AWS’ Key Management Service, which provides its own Hardware Security Modules).

Slack described the offering as allowing admins detailed logs of all the messages and files and ability to “granularly” revoke key access to specific messages, channels or users, for more bespoke security environments.

It’s aimed at Slack Enterprise Grid customers. Slack Enterprise Grid is the company’s offering for major corporate customers (users include IBM, Oracle, Capital One and Target, Slack says). It comprises “unlimited” work spaces with a centralised admin control panel, with add-ons like EKM.

Slack Security Offering: More Control

Geoff Belknap, Slack’s chief security officer said: “Slack already encrypts your data in transit and at rest. But Slack EKM basically adds an extra layer of protection so that customers—especially those in regulated industries—can share conversations, data and files on Slack, all while still meeting their own risk mitigation requirements.”

He added: “There are a couple of things that make Slack EKM distinctive. First, by allowing customers to bring their own encryption keys (which are then managed in Amazon’s AWS KMS), customers have a lot more control and visibility over their most sensitive data. But what actually makes the design of our system so unique is that, in the case of an incident let’s say, rather than revoking access to the entire product, admins can choose to revoke access in a very granular, highly targeted manner. That granular revocation ensures that teams continue working while admins suss out any risks.”

(While AWS uses FIPS 140-2-validated HSMs, not all customers will appreciate being limited to that services: many financial services companies in the UK, for example, remain highly sceptical of cloud-based security offerings and are keen to retain direct access to their HSMs in their own data centres.)

Cloud technology company Crowdstrike was one of the beta customers of Slack’s EKM. Colin Black, Chief Operating Officer at CrowdStrike, commented in a release: “We immediately saw its [Slack’s EKM] value in giving us total control of our data and the assurance that we’re protected in the event of a security threat in our supply chain.”

Slack’s security whitepaper shows that it supports TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, whenever supported by the clients. It runs a Hackerone Bug Bounty scheme and says it secures its own encryption keys in a “secure server on a segregated network with very limited access.”

Launch Comes Ahead of Listing

The product release comes a month after Slack announced that it was preparing to go public. Unusually, the company – which boasts over 10 million daily active users – is bypassing the usual method of going public (an IPO) in favour of a direct listing.

This allows the company’s shareholders, such as early investors or employees, to begin selling their stock on the exchange with public investors buying stock directly from these insiders, rather than investment bank middlemen.